Edit: Re-reading, I guess this is specifically targeted at Okta, who have had their share of problems.
A library, yes, but a library is not a service. If you self host your auth stack with trusted primitives from a well known crypto library, you're much better off than if you outsource the very security of your platform to a company that has time and time again shown that they are incapable of preserving the security of even their own employees' personal info, much less anyone else's. At this point it would be arguably criminally negligent to rely on them to protect any sort of private information for your customers.
If you self host, someone needs to personally pick you as a target and find a flaw you made to get into your system. With Okta, they in all likelihood already have access. I know this industry loves learned helplessness (especially when the solution is “you don’t have to know the fundamentals, just pay us every month and we’ll do them for you!”), but come on.
Also, there are super strong incentives to hack Okta, so naturally more people will try to hack Okta.
All of these failure modes need some sort of "customer support" to work out, otherwise they'll not be used by users at all or they'll lead to shitstorms when people are locked out of their identity. And if the customer support makes errors or gets bribed, you'll get shitstormed too.
And allowing people to back-up their keys isn't an option either because that defeats the purpose of why you have an HSM anyway.
Security is hard, PKI is even harder.
That's certainly what they want you to think. But hooking into a system where every support engineer's full contact info (and every other employee besides) is already leaked to hackers to do all the social engineering/extortion they might want, is faaaaarrrrr more insecure than using some trusted crypto primitives to validate a password, or send an email.
If you can get away with it, just email magic links or bog standard username/password that everyone knows and every credential manager can trivially incorporate with. If you need SSO (for your big enterprise contract to go through), the story is a bit different because in all likelihood every other thing they interface with is already using Okta, but that doesn't mean you must use them too.
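The comment above recommends magic links or plain username/password built on standard crypto primitives. As an added example (not code from anyone in this thread), the block below shows what that looks like with only Python's standard library: a time-limited, single-use magic-link token signed with HMAC-SHA256, and password storage with scrypt. The signing key (generated at import), the 10-minute TTL, the in-memory set of used nonces, and the `https://example.com/login` URL are all assumptions made for the demo; a real deployment loads the key from configuration and tracks used nonces in a shared store.

```python
"""Added example: minimal self-hosted magic-link tokens and password hashing
built from Python standard-library primitives (hmac, hashlib, secrets)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for the demo: a fresh key per process. In production this comes
# from configuration or a KMS, and rotating it invalidates outstanding links.
SECRET = secrets.token_bytes(32)
TTL_SECONDS = 600            # assumed link lifetime: ten minutes
_used_nonces = set()         # assumption: single-process replay cache


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, now=None, secret: bytes = SECRET) -> str:
    """Build 'body.signature' where body = {sub, exp, nonce} and signature = HMAC-SHA256(body)."""
    now = int(time.time() if now is None else now)
    payload = {"sub": email, "exp": now + TTL_SECONDS, "nonce": secrets.token_hex(16)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def make_link(email: str, base_url: str = "https://example.com/login") -> str:
    """Assumed URL shape; the token travels as a query parameter in the e-mail."""
    return f"{base_url}?token={issue_token(email)}"


def verify_token(token: str, now=None, secret: bytes = SECRET):
    """Return the e-mail the link was issued for, or None if the token is
    malformed, forged, expired, or has already been redeemed."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Check the MAC before touching the payload, in constant time.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        if now > payload["exp"]:
            return None
        if payload["nonce"] in _used_nonces:       # replay: link already used
            return None
        _used_nonces.add(payload["nonce"])
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def hash_password(password: str) -> str:
    """scrypt with a random 16-byte salt; stored as 'scrypt$salt$key'."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        key = hashlib.scrypt(password.encode(), salt=_unb64(salt_b64),
                             n=2**14, r=8, p=1, dklen=32)
        return hmac.compare_digest(key, _unb64(key_b64))
    except ValueError:
        return False


if __name__ == "__main__":
    link = make_link("alice@example.com")
    print("send by e-mail:", link)
    print("first click ->", verify_token(link.split("token=", 1)[1]))
    print("second click ->", verify_token(link.split("token=", 1)[1]))
```

The order of checks in `verify_token` is deliberate: the MAC is compared with `hmac.compare_digest` before the body is parsed, so an attacker-controlled payload is never decoded unless it was signed with the server's key, and the nonce is only recorded as used once every other check has passed.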
> Also, there are super strong incentives to hack Okta, so naturally more people will try to hack Okta.
Why would you purposefully pick such a massive target? Especially one that is currently compromised, and can't even be trusted to protect themselves? Just last month hackers got all the personal information of all Okta employees.